Minutes of the meeting of the Audit and Compliance Committee of the Board of Directors of the Cook 
County Health and Hospitals System held Thursday, July 23, 2015 at the hour of 8:30 A.M. at 1900 W. Polk 
Street, in the Second Floor Conference Room, Chicago, Illinois. 

I. Attendance/Call to Order 

Chairman Velasquez called the meeting to order. 

Present: Chairman Carmen Velasquez and Directors Ada Mary Gugenheim and Emilie N. Junge (3) 

Board Chairman M. Hill Hammock (ex-officio) 

Absent: None (0) 

Additional attendees and/or presenters were: 

Cathy Bodnar — Chief Corporate Compliance and 
Privacy Officer 

Donald Croswell - Washington, Pittman & 

McKeever, LLC 

Randolph Johnston — Associate General Counsel 
Pat Kitchen - McGladrey LLP 


II. Public Speakers 

Chairman Velasquez asked the Secretary to call upon the registered public speakers. 
The Secretary responded that there were none present. 


III. Report from Chief Corporate Compliance and Privacy Officer (Attachment #1) 

Cathy Bodnar, Chief Corporate Compliance and Privacy Officer, reviewed the information contained in her 
report. Dianne Willard, CCHHS Compliance Officer, reviewed the information pertaining to Health 
Insurance Portability and Accountability Act (HIPAA) issues. The Committee discussed the information. 

With regard to the information presented on Reactive Corporate Compliance Issues, Director Gugenheim 
inquired regarding those issues that are validated and substantiated, and the level of severity associated with 
them. Ms. Bodnar indicated that she can present information on those issues at the next Committee meeting. 

During the review of the information regarding ethics obligations, Ms. Bodnar noted that the Accounting of 
Disclosure Survey will be formally rolled out to the Directors at the Board Meeting next week. 


Elizabeth Reidy - General Counsel 
Deborah Santana — Secretary to the Board 
Tom Schroeder - Director of Internal Audit 
John Jay Shannon, MD - Chief Executive Officer 
Dianne Willard - CCHHS Compliance Officer 
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IV. Action Items 

A. Minutes of the Audit and Compliance Committee Meeting, May 21, 2015 

Chairman Velasquez, seconded by Director Gugenheim, moved to accept the minutes 
of the Audit and Compliance Committee Meeting of May 21, 2015. THE MOTION 
CARRIED UNANIMOUSLY. 


B. CCHHS Audited Financial Statements, for the year ended November 30, 2014 (Attachment #2) 

Pat Kitchen, of McGladrey LLP, provided an overview of the matter presented. The Committee reviewed and 
discussed the information. 

Mr. Kitchen stated that there was no management letter presented to the Committee in May as a part of the draft 
preliminary documents that were reviewed, nor was a management letter submitted with the finalized Audited 
Linancial Statements. While there were some recommendations communicated to management, nothing rose to 
the level of significance that McGladrey’s representatives believed were warranted to be presented in written 
form; there was certainly nothing that would rise to the level of a material weakness in internal control or other 
matters that would be required to be presented to this Committee. He noted that there are no material significant 
changes from the May draft documents that were reviewed and discussed; in terms of the core Audited Linancial 
Statements, there were no changes from what the Committee reviewed in May. 

It was noted that the CCHHS Audited Linancial Statements are posted to the CCHHS website immediately after 
the meeting has concluded; they are posted under the Governance section, and are attached electronically to the 
Agenda with the other backup materials. 

Board Chairman Hammock inquired regarding when the Committee will review the work plan for the coming 
year’s audit of the financial statements. Mr. Kitchen responded that this has typically been presented in the fall or 
winter for the upcoming year. 

The Board took action on this item following the adjournment of the closed meeting. 

Director Junge, seconded by Director Gugenheim, moved to receive and file the 
CCHHS Audited Linancial Statements for the year ended November 30, 2014. THE 
MOTION CARRIED UNANIMOUSLY. 


C. Cook County Single Audit Report on Federal Awards, for the fiscal year ended November 30, 2014 

(Attachment #3) 

Mr. Donald Croswell, of Washington, Pittman & McKeever, LLP, provided an overview of the Cook County 
Single Audit Report on Lederal Awards, for the fiscal year ended November 30, 2014. Additionally, he provided 
information on technical updates regarding audit requirements for federal awards. The Committee reviewed and 
discussed the information. 
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IV. Action Items 

C. Cook County Single Audit Report on Federal Awards, for the fiscal year ended November 30, 2014 
(continued) 

Board Chairman Hammock inquired regarding the deficiency in internal controls reported for the Department of 
Public Health / Stroger Hospital grants totaling $5.9 million erroneously recorded as expenditures in the Schedule 
of Expenditures of Federal Awards (SEFA); he asked whether this means that System expenditures were 
overstated by that amount. Mr. Croswell responded in the affirmative. He stated that those particular grants are 
primarily fee-for-service grants, so at the end of the year, the revenues should equal the expenditures received. 
Those grants pay for a portion of the entire salary for those employees involved in providing services under those 
grants; when they close out those grants there may have been some revenues transferred in from the Corporate 
Fund, so the revenue is not equaling expenses. In the reporting structure, they have to report revenues and 
expenditures as being equal, so they make transfers, and a lot of times those transfers are transferred to the next 
grant, which causes either an overage or underage of those expenditures. It is a timing issue; he stated that the 
auditors think there should be a reconciliation of this prior to the auditors coming in to audit this information. In 
the last two years, that reconciliation has not occurred at that point in time. 

Director Gugenheim, seconded by Director Junge, moved to receive and file the Cook 
County Single Audit Report on Federal Awards, for the fiscal year ended November 
30,2014. THE MOTION CARRIED UNANIMOUSFY. 

D. Any items listed under Sections IY and V 


V. Closed Meeting Items 

A. CCHHS Audited Financial Statements, for the year ended November 30,2014 

B. Report from Director of Internal Audit 

C. Discussion of Personnel Matters 

Director Gugenheim, seconded by Director Junge, moved to recess the open meeting 
and convene into a closed meeting, pursuant to the following exceptions to the Illinois 
Open Meetings Act: 5 IECS 120/2(c)(l), regarding “the appointment, employment, 
compensation, discipline, performance, or dismissal of specific employees of the 
public body or legal counsel for the public body, including hearing testimony on a 
complaint lodged against an employee of the public body or against legal counsel for 
the public body to determine its validity,” and 5 ILCS 120/2(c)(29), regarding 
“meetings between internal or external auditors and governmental audit committees, 
finance committees, and their equivalents, when the discussion involves internal 
control weaknesses, identification of potential fraud risk areas, known or suspected 
frauds, and fraud interviews conducted in accordance with generally accepted auditing 
standards of the United States of America.” THE MOTION CARRIED 
UNANIMOUSLY. 

Chairman Velasquez declared that the closed meeting was adjourned. The Committee 
reconvened into the open meeting. 
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VI. Adjourn 


As the agenda was exhausted, Chairman Velasquez declared that the meeting was 
ADJOURNED. 


Respectfully submitted, 

Audit and Compliance Committee of the Board of Directors of the 
Cook County Health and Hospitals System 


Attest: 


xxxxxxxxxxxxxxxxxxxxxx 

Carmen Velasquez, Chairman 


XXXXXXXXXXXXXXXXXXXXXX 
Deborah Santana, Secretary 
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AUDIT & COMPLIANCE 
COMMITTEE OF THE CCHHS 
BOARD OF DIRECTORS 

Corporate Compliance Report 

July 23, 2015 
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& HOSPITALS SYSTEM 

CCHHS 





Meeting Objectives 


To Receive and File: 

■ Fiscal Year to Date (F-YTD) 2015 Corporate 
Compliance Metrics 

■ Detailed Review of Recent HIPAA Privacy and 
Security Issues 
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Reactive Corporate Compliance Issues 

Comparison of First 6 Months F-YTD to F-YTD 

(December 1, 2014 - May 31, 2015) 




































































F-YTD 2015 Issue Breakdown by Category 

371 1 Reactive Corporate Compliance Issues raised in the first 6 months of FY 2015 


Regulatory/Policy 
9% 


Research 

1 % 


Human 

Resource 

12 % 


HC Fraud 
4% 


Conflict of Interest 
7% 


False Claims 
2 % 


HI PA A 
43% 



Accurate Books 
7% 


Cateaory Count 1 

HIPAA 

161 

Accurate Books 

28 

False Claims 

8 

Other 

56 

Human Resources 

44 

Conflict of Interest 

25 

Research 

3 



Regulatory/Policy 

32 

HC Fraud 

14 






1 This is a total count of new issues raised to Corporate Compliancep|k^sg @$134 are validated/substantiated. 
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Unsecured Protected Health Information 

Vulnerable to Breaches 


"Unsecured" means: 

Protected Health Information (PHI) has not been rendered unusable, 
unreadable, or indecipherable to unauthorized individuals. 

■ Electronic - must be encrypted following the requirements set forth within 
the HIPAASecurity Rule. 

■ Paper, film, or other hard copy media has been shredded or destroyed such 
that the PHI cannot be read or otherwise reconstructed. 


© 


COOK COUNTY -HEALTH 
& HOSPITALS SYSTEM 

CC-HHS 


Audit & Compliance Committee of the Board I July 23,2015 


5 


Page 10 of 34 



Breach Analysis Tool 


ft HOSPITALS SYSTEM 

Issue Number: 

CORPORATE COMPLIANCE 

kTEP ONE : Incident Description 


CC-HHS 


CCHHS HIPAA Breach Assessment Tool 


Incident Description (please outline a brief description of the potential breach incident): 



* If the event is not a reportable breach under HIPAA it should still be evaluated as a security incident according to CCHHS internal policies and procedures and against the minors Personal 
Information Protection Act (815 LCS530) 

This document a for CCHHS internal use only. Any unauthorised review, use, disclosure or distribution is prorifcited. 
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Detailed Review of Recent HIPAA Issues 


F-YTD43%or 161 Issues Attributed to HIPAA 



Of the 161 HIPAA Issues, 

15% or 24 incidents were validated privacy breaches 
(7% of the total corporate compliance issues) 


Actual Breaches: 
24 incidents 
affecting 31 




December 2014- May 31, 2015 
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Breach Reporting Process 


m Breach ■ 
B Validated 


External 


Corrective 
Actions 

To affected individual(s) 

Notification 


Internal 


To the Secretary of the 
Department of Health & 
Human Services 




In certain circumstances, 

■ Media notification; and 

■ Posting on our website 




* Operations 

* 


Individuals 


Office for Civil Rights 
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Putting CCHHS in Perspective 


US Department of Health & Human Services Breaches Affecting 500 or More Individuals 1 

October 21,2009 - July 3,2015 


Highest Number of Individuals Affected - All Covered Entities 


Nome of Covered Entity 

State Covered Entity Type 

Individuals 

Affected 

Breach Submission 
Date 

Typo of Breach 

Location of Broached 
Information 

Anthem. Inc. Affiliated Covered Entity 

IN 

Health Plan 

78.800.000 

03/13/2015 

Hackmq/IT Incident 

Network Server 

Premera Blue Cross 

WA 

Health Plan 

11.000.000 

03/17/2015 

Hackmq/IT Incident 

Network Server 

Science Applications International 
Corporation (SA 

VA 

Business Associate 

4.900.000 

11/04/2011 

Loss 

Other 

Community Health Systems Professional 
Services Corporation 

TN 

Business Associate 

4.500.000 

08/20/2014 

Theft 

Network Server 

Advocate Health and Hospitals 

Corporation, d/b/a Advocate Medical Group 

IL 

Healthcare Provider 

4.029.530 

08/23/2013 

Theft 

Desktop Computer 


Highest Number of Individuals Affected - Healthcare Providers Only 


Name of Covered Entity 

Stato 

Covered Entity Type 

Individuals 

Affected 

Broach Submission 

Da to 

Type of Breach 

Location of Breached 
Information 

Advocate Heatth and Hospitals 

Corporation, d/b/a Advocate Medical Group 

IL 

Healthcare Provider 

4.029,530 

08/23/2013 

Theft 

Desktop Computer 

The Nemours Foundation 

FL 

Healthcare Provider 

1.055.489 

10/07/2011 

Loss 

Other 

Sutter Medical Foundation 

AL 

Healthcare Provider 

943,434 

11/17/2011 

Theft 

Desktop Computer 

AHMC Healthcare Inc and affiliated 
Hospitals 

CA 

Healthcare Provider 

729,000 

10/25/2013 

Theft 

Laptop 

EISENHOWER MEDICAL CENTER 

CA 

Healthcare Provider 

514,330 

03/30/2011 

Theft 

Desktop Computer 


https://ocrportal.hhs.gov/ocr/breach/breach report.jsf 


© 


COOK COUNTY -HEALTH 
& HOSPITALS SYSTEM 

CC-HHS 


9 


Page 14 of 34 





























System Compliance Assessment 


Positives 

Negatives 

Organizational awareness 

1 Breaches will continue to occur 

t Increase in inquiries and 
reporting potential issues 


Shift to requests for guidance 


The key to avoiding costly fines and penalties is 

- Show the Department of Health & Human Services Office for Civil Rights 
(OCR) what was in place to prevent the breach, 

- Investigate and mitigate the effects of the breach, and 

- Review the HIPAA compliance program to prevent recurrence. 

CCHHS is on track! 
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Questions? 
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Ethics Obligations - Surveys 


Cook County Requirement 



flickr 


News Room 


Ethics Filings 


Statements of Economic 
Interests 


Disclosure of Economic 
Interests 


Units of Government 
FAQs 

Statements of Economic 
Interests FAQs 


Home H Accessibility Espariol fgcft Polski Search: Q 


COOK COUNTY DAVID 0 R R COOK COUNTY CLERK 

CLERK 

Vital Records Elections - Suburban Cook 

County 


Cook County Clerk > Ethics Filings 


County Board Proceedings 


Lobbyist Online 
• Lobbyist Online FAQs 
■ Lobbyist Training 
Campaign Disclosures 


Statei 


submit your 


hN I hK 


ent of Economic 


st fi er hst 


Ethics Filing Online 

In accordance with the Illinois Government al 
Act , more than 900 units of government and 
22,000 public officials and employee§*\ust sul 
ethics filings to the Clerk's 
agencies provide a list of pej 
Statement of Economic Jptt 
2011, those people 
questionnaires 
instant acci 


Statement of Economic Interests 

Government officials and 
employees required to file log 
in here. 


upload instcuetiens 
nic Interests filing instructions 


of Economic Interest Filing 


Expected Roll Out: Soon 
Due Date: May 1st 


CCHHS Requirement 



Accounting of Disclosures Filing 
Roll Out: May Now! 

Due Date: kme August 31, 2015 
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Please see section 13402(h)(2) of Public Law 111-5 for more information regarding approved technology and methodology. 
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Communication with Those Charged with 

Governance 

For the year ended November 30, 2014 
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Communications with Those Charged with 
Governance 


Auditor’s Responsibility 


> Perform the audit in accordance with 
GAAS, the standards applicable to 
financial audits contained in GAS issued 
by the Comptroller General of the United 
States and OMB Circular A-133. 

> Form and express an opinion about 
whether the schedule of expenditures of 
federal awards is prepared, in all material 
respects, in conformity with the 
applicable financial accounting 
framework, and, about whether Cook 
County, IL (the County) complied, in 
all material respects, with the types of 
compliance requirements that could have 
a direct and material effect on each of its 
major Federal programs. 


This information is intended solely for the use of the Board of Commissioners and management of the County and is not 
intended to be and should not be used by anyone other than these specified parties. 
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J Communications with Those Charged with 
Governance (Continued) 


❖ Review of Internal Controls 

> We considered the County’s internal 

control over financial reporting as a basis 
for determining audit procedures that are 
appropriate in the circumstances, but not for 
the purpose of expressing an opinion on the 
effectiveness on the County’s internal 
control over financial reporting. Our review 
noted three (3) significant deficiencies in 
internal control over compliance. 

❖ Independence 

> We are independent of the County in 

accordance with the American Institute of 
Certified Public Accountants (AICPA) and 
General Accountability Office (GAO) rules. 
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Communications with Those Charged with 
Governance (Continued) 


❖ Disagreements with 
Management 

All accounting and reporting issues have 
been resolved without disagreement with 
management. 

❖ Consultations with other 

accountants 

We are not aware of any such consultations. 

❖ Major issues (accounting, 
auditing or reporting) 
discussed with management 
prior to our (initial or 
recurring) retention. 

> There were none. 

❖ Difficulties encountered in 
performing the audit 

> During our audit we were given access to 

records, documents and other supporting 
data and we were furnished with all 
required information and explanations 
without restriction. 

❖ Management representation 
letter 

> We were provided a management 

representation letter dated May 31, 2015. 
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Single Audit Summary 



> 


Summary 

of 


Auditor’s 

Results 


> 

> 

> 


> 


The auditor's report expresses an unmodified (clean) opinion on the 
schedule of expenditures of federal awards of the County. 

The auditor's report on compliance for the major federal award programs 
for the County expresses an unmodified opinion on the major programs’ 
compliance with the applicable requirements. 

No material weaknesses in internal control over major programs noted. 
As it relates to the CCHHS, the major program tested was the Special 
Supplemental Nutrition Program for Women, Infants, and Children 
(WIC) (10.557) along with Procurement, Debarment and Suspension. 
There were three (3) significant deficiencies in internal control over 
major programs noted: 

• During our test of 8 WIC monthly financial reports, we noted no 
evidence of supervisory review, nor was there documentary evidence 
of written policies and procedures for the supervisory review of 
financial reports. (Finding 2014-002) 

• During our test of 12 Federally-funded contracts, we noted one (1) 
contract did not contain evidence of 1) child support verification; 2) 
verification of all taxes and fees; and 3) compliance with MBE/WBE 
requirements. (Finding 2014-010) 










^^^j^Single^udit^Summary(Coiitiiiiie^ 


Summary of 


• Department of Public Health/Stroger Hospital grants totaling 
$5.9 million were erroneously recorded as expenditures in 

Auditor’s 


the SEFA. (Finding 2014-011) 

Results 

(Continued) 

> 

The threshold for distinguishing Type A and Type B programs 


> 

was $3,000,000. 

The County was not determined to be a low risk auditee 



because of deficiencies in internal control over financial 
reporting reported as material weaknesses in the two preceding 
years. 
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Technical Updates 


Appendix A 

♦♦♦ Super Circular (http://www.gpo.gov/fdsys/pkg/FR-2013-12-26/pdf/2013- 

30465.pdf) 

> 

Applicability. For awards issued on or after December 26, 2014, and for audits of fiscal 
years beginning after December 26, 2014. 

> 

The guidance raises the minimum threshold for distinguishing between Type A and 

Type B programs to $750,000. ($3 million for the County) 

> 

The guidance explicitly states that internal control over compliance should follow 
existing internal control guidance of GAO and COSO. 

> 

Required certification to be included with annual and final fiscal reports or vouchers 
requesting payments. 

> 

The percentage of coverage for auditees that are not low-risk will be reduced to 40% 
from 50%, and to 20% from 25% for low-risk auditees. 

> 

Recipients will be required to report the amounts passed through to subrecipients by 
program on the SEFA. 

> 

The reporting package, including the audited financial statements, will be publicly 
available on the Federal Clearinghouse website. 
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Technical Updates(Continued) 


Appendix B 

COSO Update articulates principles of effective internal control 


Control Environment 


Risk Assessment 


Control Activities 




1. Demonstrates commitment to integrity and ethical values 

2. Exercises oversight responsibility 

3. Establishes structure, authority and responsibility 

4. Demonstrates commitment to competence 

5. Enforces accountability 

6. Specifies suitable objectives 

7. Identifies and analyzes risk 

8. Assesses fraud risk 

9. Identifies and analyzes significant change 


10. Selects and develops control activities 

11. Selects and develops general controls over technology 

12. Deploys through policies and procedures 

13. Uses relevant information 

14. Communicates internally 

15. Communicates externally 

16. Conducts ongoing and/or separate evaluations 

17. EfM0tt3§ sfidAommunicates deficiencies 
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CCHHS and Public Health Programs 



Federal Program Name and Expenditure Amount 

Public 

Health and 

County 

Hospitals 

Federal 

Programs 

> WIC - $12,760,156 ($8,967,325 - noncash) 

> Coal Miner’s Respiratory Impairment Treatment 
Clinics and Services - $278,057 

Hospitals Preparedness Program (HPP) and Public 
Health Emergency preparedness (PHEP) aligned 
Cooperative Agreements - $1,168,631 

> Project Grants and Cooperative agreements for 
Tuberculosis Control Programs - $120,000 

> Immunization Coop. Agreements -$212,397 

> Centers for Disease Control and prevention 
Investigations and Tech. Asst. - $190,331 

> HIV Prevention Activities - $207,817 

> Social Services Btoel^Cft&nts - $717,080 ■ 
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